1. Technical Field
This disclosure relates generally to corporate data security and in particular to detecting that a computing device may not be secure based on inconsistent identity associations with identity providers associated with an enterprise.
2. Background of the Related Art
User authentication is one function that service providers offer to ensure that users accessing resources (e.g., applications, web content, etc.) are authorized to do so. To ensure that a user is not an impostor, service providers (e.g., web servers) generally ask for a user's username and password to prove identity before authorizing access to resources. Single sign-on (SSO) is an access control mechanism which enables a user to authenticate once (e.g., provide a username and password) and gain access to software resources across multiple systems. Typically, an SSO system enables user access to resources within a single enterprise or organization. Federated Single Sign-on (F-SSO) extends the concept of single sign-on across multiple enterprises, thus establishing partnerships between different organizations and enterprises. F-SSO systems typically include application level protocols that allow one enterprise (e.g., an identity provider) to supply a user's identity and other attributes to another enterprise (e.g., a service provider). In other words, an F-SSO system transports an assertion of the user's identity (rather than the user's password itself, which stays with the identity provider) from the identity provider to the service provider using any suitable protocol. Typically, current F-SSO techniques use HTTP as the transport protocol.
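The identity-provider-to-service-provider exchange just described, as an added illustration that is not part of this disclosure: a toy Python model in which the identity provider issues a signed assertion carrying the user's identity and attributes, and the service provider checks the signature, the intended audience and the validity window before trusting it. The shared HMAC key, the audience URL, the field names and the user data are all constructed for the example; real F-SSO protocols such as SAML use XML assertions and public-key signatures, which this model deliberately simplifies.

```python
"""Toy federated single sign-on exchange: an identity provider (IdP) issues a
signed identity assertion and a service provider (SP) verifies it.

Constructed illustration only: this is NOT SAML or OpenID Connect, and the
field names, the shared HMAC key and the user data are made up for the example.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: IdP and SP share a secret out of band (real F-SSO deployments use
# the IdP's public key for the same purpose; HMAC keeps the example offline).
SHARED_KEY = b"example-idp-sp-shared-secret"
SP_AUDIENCE = "https://sp.example.com/sso"  # hypothetical service-provider URL


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user_id, attributes, audience, lifetime=300, now=None):
    """IdP side: build a compact signed assertion of the form payload.signature.

    The assertion carries the user's identity and attributes; the user's
    password never leaves the IdP, which is the point of F-SSO.
    """
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,       # authenticated user
        "aud": audience,      # the one SP allowed to accept this assertion
        "iat": int(now),      # issued at
        "exp": int(now + lifetime),
        "attrs": attributes,  # e.g. department, roles
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def sp_verify_assertion(token, expected_audience, now=None):
    """SP side: verify signature, audience and validity window.

    Returns the payload dict on success and raises ValueError otherwise.
    """
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed assertion")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature: assertion not issued by the IdP")
    payload = json.loads(body)
    if payload.get("aud") != expected_audience:
        raise ValueError("assertion was issued for a different service provider")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("assertion expired or not yet valid")
    return payload


def demo():
    """Full round trip plus two failures the SP must catch."""
    issued_at = 1_700_000_000  # fixed clock so the example is deterministic
    token = idp_issue_assertion("alice", {"dept": "finance"}, SP_AUDIENCE, now=issued_at)
    ok = sp_verify_assertion(token, SP_AUDIENCE, now=issued_at + 10)
    results = {"subject": ok["sub"], "dept": ok["attrs"]["dept"]}

    # Tampering: change the subject but keep the original signature.
    body_b64, sig_b64 = token.split(".")
    forged_payload = json.loads(_unb64(body_b64))
    forged_payload["sub"] = "mallory"
    forged_body = json.dumps(forged_payload, sort_keys=True, separators=(",", ":")).encode()
    forged = _b64(forged_body) + "." + sig_b64
    try:
        sp_verify_assertion(forged, SP_AUDIENCE, now=issued_at + 10)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # Replay of a genuine assertion long after its validity window.
    try:
        sp_verify_assertion(token, SP_AUDIENCE, now=issued_at + 3600)
        results["expired_rejected"] = False
    except ValueError:
        results["expired_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The audience check matters as much as the signature: an assertion the IdP legitimately issued for one service provider must not be accepted by another, otherwise a compromised partner site could replay assertions against the rest of the federation.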
In an enterprise environment, unsecured user credentials and unsecured personal computing devices represent a significant threat to corporate data security. Often, sensitive information is accessed from one individual's computing device using another's credentials, either with or without consent. The former situation usually represents a violation of corporate security policy (i.e., sharing of credentials), while the latter scenario represents the more serious possibility of credential theft. Some organizations, mainly financial ones, have attempted to solve the credential issue using smart card tokens in a two-factor authentication approach (i.e., token + password) together with very short inactivity timers. This approach is expensive and not practical for everyday commodity workstation security or "bring your own device" situations, which are becoming more prevalent. These environments, which represent the vast majority of organizations, tend to rely solely on password protection and relatively long inactivity time-outs.
In addition to credentials, unsecured personal computing devices left unattended present the opportunity for unauthorized information access and transfer. A common approach to solving this issue is to perform deep content inspection on all data leaving the corporate network in an attempt to detect sensitive information. An obvious flaw with this approach is that any encrypted tunnel connection can defeat such inspection unless the corporation also terminates and re-encrypts those connections (a man-in-the-middle approach) at its network boundaries. Other prior art solutions include monitoring employee behavior, building behavior models or scores, and then detecting deviations from those expected behaviors to assess potential security issues. These techniques are complex and expensive to implement reliably.